Refactor the PR checks workflow into two workflows:
PR checks and Runner checks.
This does not change the actual check jobs that are run.
It also does not change the expected check names
(which rely only on the job name, not the workflow name).
This makes it easier to inspect workflow run summaries in the UI
and to separately retry subsets of failed jobs in case of flakiness.
In future we will clean up the Runner checks,
since this is a deprecated component.
Ensure that this succeeds even if the legacy CLR tracer is not enabled.
The combination of the regular tracer and the SIP workaround within Actions
should be sufficient for this to pass.
Add the missing `$CODEQL_RUNNER` prefix to the autobuild command line.
This intermediate process works around System Integrity Protection,
allowing the tracer to start the C# extractor for the dotnet builds
within the autobuild process.
The test used to pass without this because the legacy CLR tracer bypassed SIP
while dotnet 5 was used on the Actions virtual environment.
Now that the virtual environment uses dotnet 6, the CLR tracer no longer works,
and we need to explicitly work around SIP.
This test will eventually be replaced by an internal integration test for the
equivalent functionality in the CLI. For now, this change makes the test
continue to pass.
Without this, the tracer will not be injected on macOS, as we need the
runner to circumvent SIP.
Also add a test that tests the autobuild-action to exercise this code path.
This commit adds the packs and queries from the actions input to the
config file used by the CodeQL CLI.
When the `+` is used, the actions input value is combined with the
config value, and when it is not used, the input value overrides the
config value.
This commit also adds a bunch of integration tests for this feature.
In order to avoid adding too many new jobs, all of the tests are
run sequentially in a single job (matrixed across relevant operating
systems and OSes).
This also removes the .github/workflows/update-required-checks.yml
workflow. This script needs to be run locally by someone who has
admin privileges on the repo.